Apple launched its newest operating system, macOS Sierra 10.12, on Tuesday and aside from new and interesting features, it has a large number of important security fixes.
The new OS patches 65 vulnerabilities in various core and third-party components. Some of these vulnerabilities are critical and can result in arbitrary code execution with kernel privileges.
Flaws that allow local applications to execute malicious code with kernel or system privileges were fixed in Apple’s HSSPI support component, AppleEFIRuntime, AppleMobileFileIntegrity, AppleUUC, the Bluetooth stack, DiskArbitration, the Intel Graphics Driver, the IOAcceleratorFamily and IOThunderboltFamily, the S2 Camera, the Security service and the kernel itself.
A vulnerability patched in the WindowsServer could also be exploited by a local user to gain root privileges.
Aside from these flaws, which require an attacker to have local access through an account or application, Apple patched vulnerabilities that could allow for remote attacks.
For example, a flaw in the audio component could be exploited remotely to execute arbitrary code, while a kernel vulnerability could allow an attacker to remotely trigger a denial-of-service condition. A flaw in the Apache web server could be exploited remotely to proxy traffic through an arbitrary server and another one in the Kerberos v5 PAM module could allow attackers to enumerate accounts.
In addition to macOS Sierra 10.12, which is available as an update for OS X El Capitan 10.11.6 on supported devices, Apple also released Safari 10 for earlier OS X versions. This Safari release also fixes 26 vulnerabilities, many of which could be exploited through malicious web content to achieve remote code execution.
Apple will continue to release security updates for OS X El Capitan and OS X Yosemite, even if users don’t upgrade to macOS Sierra. However, OS X Mavericks is likely no longer supported.